@vieiro vieiro commented Dec 5, 2025

Backport of JDK-8349583 from JDK17, a first step to disable SHA-1 in TLS/DTLS 1.2 handshake signatures to comply with the Oracle JRE Cryptographic Roadmap, to be followed with JDK-8340321.

Backport is not clean, as there're significant changes from JDK17.

To ease review, three additional commits adapt the backport to JDK11, which is missing JDK-8284047 (2nd commit) and JDK-8288209 (3rd commit). Also JDK11 is missing ByteBuffer.slice(int, int) (4th commit).

Tested on Linux with tier1 tests and with run-test-jdk_security:

==============================
Test summary
==============================
   TEST                                              TOTAL  PASS  FAIL ERROR   
   jtreg:test/jdk:jdk_security                        1365  1365     0     0   
==============================
TEST SUCCESS

Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • JDK-8349583 needs maintainer approval
  • Change requires CSR request JDK-8350902 to be approved

Issues

  • JDK-8349583: Add mechanism to disable signature schemes based on their TLS scope (Enhancement - P2)
  • JDK-8350902: Add mechanism to disable signature schemes based on their TLS scope (CSR)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk11u-dev.git pull/3130/head:pull/3130
$ git checkout pull/3130

Update a local copy of the PR:
$ git checkout pull/3130
$ git pull https://git.openjdk.org/jdk11u-dev.git pull/3130/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 3130

View PR using the GUI difftool:
$ git pr show -t 3130

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk11u-dev/pull/3130.diff

Using Webrev

Link to Webrev Comment

bridgekeeper bot commented Dec 5, 2025

👋 Welcome back avieiro! A progress list of the required criteria for merging this PR into pr/3126 will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

vieiro commented Dec 5, 2025

NOTE: This one is on top of #3126, which introduces some tests required in this backport.

openjdk bot commented Dec 5, 2025

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

@openjdk openjdk bot changed the title from "Backport fe850da38a3fc0c9ce6cf9348efca3c846e97143" to "8349583: Add mechanism to disable signature schemes based on their TLS scope" Dec 5, 2025

openjdk bot commented Dec 5, 2025

This backport pull request has now been updated with issue from the original commit.

@openjdk openjdk bot added the backport (Port of a pull request already in a different code base) and rfr (Pull request is ready for review) labels Dec 5, 2025

mlbridge bot commented Dec 5, 2025

Webrevs

@openjdk-notifier openjdk-notifier bot changed the base branch from pr/3126 to master December 22, 2025 12:37
@openjdk-notifier

The parent pull request that this pull request depends on has now been integrated and the target branch of this pull request has been updated. This means that changes from the dependent pull request can start to show up as belonging to this pull request, which may be confusing for reviewers. To remedy this situation, simply merge the latest changes from the new target branch into this pull request by running commands similar to these in the local repository for your personal fork:

git checkout backports/JDK-8349583
git fetch https://git.openjdk.org/jdk11u-dev.git master
git merge FETCH_HEAD
# if there are conflicts, follow the instructions given by git merge
git commit -m "Merge master"
git push


openjdk bot commented Dec 22, 2025

@vieiro this pull request can not be integrated into master due to one or more merge conflicts. To resolve these merge conflicts and update this pull request you can run the following commands in the local repository for your personal fork:

git checkout backports/JDK-8349583
git fetch https://git.openjdk.org/jdk11u-dev.git master
git merge FETCH_HEAD
# resolve conflicts and follow the instructions given by git merge
git commit -m "Merge master"
git push

@openjdk openjdk bot added the merge-conflict (Pull request has merge conflict with target branch) label Dec 22, 2025
@openjdk openjdk bot removed the merge-conflict (Pull request has merge conflict with target branch) label Dec 22, 2025
@vieiro vieiro marked this pull request as draft December 22, 2025 15:32

vieiro commented Dec 22, 2025

Some tests fail. Let's keep this as draft for the moment.

@openjdk openjdk bot removed the rfr (Pull request is ready for review) label Dec 22, 2025

vieiro commented Dec 22, 2025

Re-testing with run-test-jdk_security after the merge shows three errors:

==============================
Test summary
==============================
   TEST                                              TOTAL  PASS  FAIL ERROR   
>> jtreg:test/jdk:jdk_security                        1367  1364     3     0 <<
==============================
TEST FAILURE

Namely:

  • javax/net/ssl/ciphersuites/DisabledAlgorithms.java: Check if weak cipher suites are disabled
  • javax/net/ssl/ciphersuites/TLSWontNegotiateDisabledCipherAlgos.java#Client: Verify that Java will not negotiate disabled cipher suites when the other side of the connection requests them.
  • javax/net/ssl/ciphersuites/TLSWontNegotiateDisabledCipherAlgos.java#Server: Verify that Java will not negotiate disabled cipher suites when the other side of the connection requests them.

These errors are unrelated, and seem to have been introduced in this recently closed PR

@vieiro vieiro marked this pull request as ready for review December 22, 2025 16:09
@openjdk openjdk bot added the rfr (Pull request is ready for review) label Dec 22, 2025